PsLoglist

The Windows event logs store a wealth of information about the health and security of your systems, applications, and user accounts. Harvesting event-log data can be an important part of managing your Windows network, but many of the available tools for managing network-wide event logs are commercial or require you to be an expert in Windows Management Interface (WMI) scripting or SQL query syntax. PsLoglist, a free tool from Sysinternals, is a light-weight, command-line event-log viewer that lets you easily gather events from logs across your network, filter logs according to event sources or IDs, and collect log data from specific dates or times. PsLoglist works on Windows NT 4.0 and later, including 64-bit Windows versions.

What Goes InFigure 1 shows the command-line syntax for PsLoglist's many options. If you run PsLoglist without any command-line arguments, it prints the entire contents of the local system's System log. Figure 2, shows the information that PsLoglist displays. This information mirrors that which the Windows Event Viewer shows, including the event record number (shown in brackets), source, type, computer, timestamp, ID, and text.

When you want to dump the contents of a different event log (e.g., Security log, Application log, DNS log), enter the first few letters of the log name. For example, the following command dumps the contents of the File Replication Service log, a log that's present on domain controllers (DCs):

psloglist file

When you want to clear an event log after extracting its contents, include the -c switch in the command:

psloglist file -c

Viewing a local server's event logs can be useful, but PsLoglist's real power is its ability to access event logs on remote systems. To take advantage of this capability, include the name of a remote computer on the command line, prefixing the name with a double backslash (\\). If the account from which you're running PsLoglist doesn't have local Administrator access on the remote computer, you can include alternate credentials by using the -u switch. If you choose not to use the -p switch to include the account password, PsLoglist prompts you to enter the password. PsLoglist masks your input and uses standard Windows authentication, so alternate credentials aren't passed in clear text.

PsLoglist's @ switch makes it easy to aggregate event-log data from multiple computers. List the computer names (with or without the double-backslash prefix) on separate lines in a text file, then append the name of that file to the @ switch. The following command uses this technique to print the Application log from the systems listed in a file named computers.txt.

psloglist @computers.txt application

Event Viewer processes event text by extracting insertion strings from an event-log record, then embedding those strings into corresponding format strings stored in event source DLLs that the system and applications register. Most event-viewing applications, including Event Viewer, display only the insertion strings (not the full text) for records that reference event source DLLs that aren't present on the local system. This makes the text unreadable. One of the features that makes PsLoglist unique is that it processes such strings by using the source DLLs from remote systems. However, this feature requires that the remote system's default administrative share (Admin$) be enabled and accessible and that the event source DLLs be located under the \Windows directory. Be sure that this is the case on remote systems before using PsLoglist to gather data from those systems, or the tool won't be able to display full event text.

What Comes Out PsLoglist offers several options that affect its output format. A common use of PsLoglist is to collect event-log data from several systems, then import that data into a SQL database or Microsoft Excel spreadsheet. PsLoglist's -s switch formats output data in comma-separated value (CSV) format, putting all the fields of an event-log record on the same output line. Excel natively understands CSV format, and the format is easy to import into databases. When you redirect CSV-formatted PsLoglist output to a file, you can also use PsLoglist to open that file in Excel by using the start command:

psloglist -s > events.csv start events.csv

Some event-log text contains commas, which is the default PsLoglist CSV field delimiter. Embedded commas will therefore confuse Excel and other CSV-import programs into thinking that such text is made up of multiple fields. If you're processing logs that contain commas in text, use the -t switch to specify a different delimiter character. The tab character is a popular CSV delimiter; the following command tells PsLoglist to use that character:

psloglist -s -t \t > events.csv

Some event-log records contain raw binary data, called extended data, that contains additional information regarding the event and that isn't easy to include in the event text. By default, PsLoglist doesn't dump extended data, but you can use the -x option to direct it to do so.

Filtering Windows event logs record an incredible amount of information, much of which reflects the normal operation of a system. Scrolling through hundreds or thousands of records looking for significant events is infeasible, so PsLoglist includes a number of filtering options that let you limit the output to the events in which you're interested.

The -f argument takes a string of letters that represent the starting letter of the event types you want PsLoglist to dump. For example, to see only errors and warnings, use a command such as

psloglist -f ew

Sometimes you might be interested in only certain event sources, or you might want to omit sources from the output. The -o option lets you specify event sources to include; the -q option lets you specify event sources to omit. Both options accept event source names within quotation marks and permit multiple source names, separated by commas. The following syntax will dump event-log records generated by the Windows Update Agent and NtServicePack sources:

psloglist -o "windows update agent","ntservicepack"

Additional event-filtering options let you narrow the output to records that have certain IDs or to exclude specific IDs. The -i option restricts printed records to those matching as many as 10 event IDs (separated by commas) and the -e option excludes records that match as many as 10 event IDs (again, separated by commas).

Many systems administrators use PsLoglist in daily scripts to dump events from the previous day. This type of filtering is possible by using the -d switch, which takes a number that PsLoglist interprets as the age in days of the oldest record you want to print. The -h switch works similarly but lets you specify the age in hours. And if you want records from within a particular date range, use the -a switch to specify the start date and the -b switch to specify the end date (with the dates formatted as dd/mm/yy).

One more filtering option is the -w switch, which tells PsLoglist to dump the records that you've specified by using other options, wait, then dump new records that match the filtering criteria, as those records generate. This filter can be useful when you want to configure another script or program to monitor PsLoglist's output and respond to event-record generation in real time, with programmed behaviors.

A Perfect Fit PsLoglist is a Swiss-army knife event log-management utility that can simplify and optimize the analysis of event logs across your enterprise. Its rich feature set and evolution over time in response to user feedback helps this tool fit almost any management scheme. You can download the tool at http://www.sysinternals.com/utilities/psloglist.html.

Microsoft Stack Master Class

Understand the complete Microsoft solution stack, how the products work together, and how to implement and maintain for a total datacenter and desktop solution. This course covers the latest technology updates including Windows Server 2016 and Windows 10 and will enable the new capabilities to be leveraged in your organization.